Started off by
- Enabling unattended updates
- Enable only ssh login with key
- Create user with sudo privileges
- Disable root login
- Enable ufw with necessary ports
- Disable ping
- Change ssh default port 21 to something else.
Got the ideas from networkchuck
Did this on the proxmox host as well as all VMs.
Any suggestions?
You must log in or register to comment.
I have a camera outside, I’m a pretty big guy, and my rack was built inside my office so it can’t be moved quickly.
Oh, you mean digital security? Lol I have a lot of subnets and don’t forward in much traffic. The WiFi password I give out gets you on my kids network. Plus I run DPI and IDS. I use cloudflare DNS (sometimes operating an internal pihole too). And I don’t browse social media on PCs only on mobile. The only holes punched from WiFi to internal are for printing. And even the wired clients are segregated from my work network.
from the internet side, I lock down ssh or administrative stuff to local network, and specific IPs, like work. inside my network, everything has a password to access, no defaults. vlans for specific use servers, etc.
-
Don’t bother with disabling icmp. You’ll use it way more then it’s worth disabling, and something like
nmap -Pn -p- X.X.X.0/24will find all your servers anyways (same can be said for ssh and port 22. But moving that does stop some bots) -
As long as i go out not exposing anything the the global internet, you really don’t need a lot. The fire wall should already deny all inbound traffic.
The next step is monitoring. It’s one thing to think your stuff is safe and locked down. It’s another thing to know your stuff is safe. Something like Observium, Nagios, Zabbix, or otherwise is a great way to make sure everything stays up, as well as having insights into what everything it doing. Even Uptime Kuma is a good test. Then something like Wazuh to watch for security events and OpenVAS or Nessus, to look holes. I’d even though in CrowdSec for host based virus detection. (Warning, this will quickly send you down the rabbit hole of being a SOC analyst for your own home)
-
- Domain auth (1 place to set passwords and SSH keys), no root SSH
- SSH by key only
- Passworded sudo (last line of defence)
- Only open firewall hole is OpenVPN with security dialled up high
- VLANs - laptops segregated from servers
- Strict firewall rules between VLANs
- TLS on everything
- Daily update check alerts (no automatic updates, but persists until I deal with them)
- Separate isolated syslog server for audit trails
- Cold backups
What are the risks of passwordless sudo? Is it mainly just if someone has physical access to the machine or if you run a malicious program?
If someone or something malicious gets a shell account on my systems, then it at least stops them doing anything system-wide. And yes, if a script is going to request admin rights to do something, it’ll stop right at the
sudoprompt. Passwordless, it could do stuff without you even being aware of it.Whether or not this is a line of defence at all is open to debate.
Enabling unattended updates -> Hell no. Regular Patchdays
Enable only ssh login with key -> yes
Create user with sudo privileges -> yes
Disable root login -> no
Enable ufw with necessary ports -> Basic iptables, but not on all hosts. But fail2ban
Disable ping -> nope
Change ssh default port 21 to something else. -> nopeRemember to configure fail2ban, the defaults are silly.
Also, these days I prefer crowdsec to fail2ban.
Can you give me ressources on how to configure f2b?
I usually leave the defaults, or maybe tweak the times a bit.
One could only enter my network thru vpn or nginx on 443 anyway, so I am not that worried
The majority of the default fail2ban installations only bans an IP for 10 minutes and uses a 10 minute findtime, e.g. slow brute forcing is not at all banned.
Before I switched to crowdsec (which I really recommend you do, its quite easy) I changed my bantime and findtime in /etc/fail2ban/jail.conf (I think I made a local file… read the file it should say) to something like 8 hours (e.g. change 10m to 640m for both those variables).
Well if you are using strong passwords or no passwords from outside at all, but key auth only, i think you are pretty in the safe side. As i said, i have no ssh port open to the internet. Raising the ban time could only lead to banning myself. 😀
But for ports open to the outside, yes. I ppbly would do that too. Plus hardening the ssh config a bit
I have an open ssh port and I use key auth with password as well as crowdsec. Even if people get my ssh key they would still need to know the password.